Tuesday, September 3, 2013

Update - Sept 4, 2013I added more descriptions and changed NjRat / Backdoor.LV to Vidgrab - in the traffic communications are similar to NjRat/Backdoor;lv but it does not use base64 and sends initial request starting with ...3 (0x01 0x00 0x00 0x00 0x33) followed by null bytes - it does not start with lv|I am still looking for names for a few other backdoors below, so if you recognize them, please let me know.

Recently, my custom sandbox has been trying to open some Word attachments in a browser because the filetype fingerprint service detected them as MIME HTML files. Browsers are usually the default applications for such types and they did contain the CVE-2012-0158 exploit. A quick Google lookup yielded a May 2013 report from the Chinese company Antiy "The Latest APT Attack by Exploiting CVE-2012-0158 Vulnerability", which described this new exploit vector.
Antiy noted that these MHTML files evade antivirus and indeed only half of vendors represented on Virustotal detect. However, many companies rely on their automated tools, inline and standalone sandboxes not just Antivirus to determine if the file is malicious.

I checked how these files (file without any extension) were processed by other commercial and open source mailboxes. 3 out of 5 well known commercial and open source mail scan and web sandbox vendors returned no output or informed me that that filetype was not supported. While writing this post, I noticed that Malwaretracker also mentioned the rise in this vector usage in his post on Friday, so I am sure the sandbox vendors are fixing the issue as we speak.

I checked 25 MHTML CVE-2012-0158 files and compared their targets (at least those I could obtain) and payload. The analysis showed a good variety of trojans and predominantly human rights (Tibet, Uyghur) activists. I will post a month worth of these files.

Friday, August 9, 2013

The library of malware traffic patterns have been popular. We found it very useful as well ourselves and we encourage you to send your contributions. I know at some point the spreadsheet will become unwieldy but I personally find it the most easy way (easy sort, search etc)

Currently, most of the samples described have the corresponding samples and pcaps available for download (email Mila @contagio for the password)

Wednesday, August 7, 2013

Hope it is not a copyright violation and won't cause too much hate. I know Defcon will post better and complete data soon but many / most attendees did not receive the presentation CDs to their great sadness because there were not enough CDs available for all. Many authors and attendees published Defcon and Blackhat presentations online as well -you can track them via Twitter

You can download it here for now. Check Defcon website often, they will post it soon. The list of files of the speaker materials is below. The zip file also includes short stories. Please note that some presentations submitted for the DVD were somewhat / significantly different from what was presented. But better this than nothing, right?

Saturday, June 1, 2013

Exploits directed at Wordpress and/or Joomla content management systems(CMS) have been increasing at a dramatic rate over the past year. Internet blogs and forums are flooded with posts about hacked CMS installations. Popular jargon refers to the attackers as "hackers", but it is generally understood that these mass compromises are being performed via automated scanners and tools. However, we believe that there is not enough coverage of the actual malware involved.

Monday, May 6, 2013

Traffic analysis has been the primary method of malware identification and thousands of IDS signatures developed are the daily proof. Signatures definitely help but ability to visually recognize malware traffic patterns and see the trends when they change has been always an important skill for anyone tasked with network defense. The number of malware analysis blogs and papers is overwhelming and it is difficult to keep track of malware features if you don't have access to a well designed and constantly updated malware database. This started as "personal notes" spreadsheet with GET and POST requests for different malware families with information from open sources. We decided others might find it useful too.

Wednesday, April 24, 2013

This is a detailed MD5 listing of CVE-2013-0640 pdf files that were posted earlier. I got a few requests for samples that were already posted as a pack in this post ( 16,800 clean and 11,960 malicious files for signature testing and research.) Now you can see them in all their glory below.
I can post listings for other malware from that large post if there is need and interest.

Sunday, March 24, 2013

Signature and security product testing often requires large numbers of sorted malicious and clean files to eliminate false positives and negatives. They are not always easy to find, but here are some that I have.

Clean documents are collected from various open sources. All the copyright rights belong the the authors of each document and file. You must not use the documents for their content but only as samples of particular file types.

Sunday, March 3, 2013

These are the samples described in the Mandiant Report APT1, in the Indicators of Compromise (IOCs). Each file is named according to the malware family, so you can run your own detection and signature tools to see how your naming convention corresponds to the one used by Mandiant.

You can use these binaries to develop signatures, compare to your samples, or study the behavior and evolution of APT1.
I added Contagio samples in several families as well.
The list of binaries and their names, as well as malware families descriptions are provided below for your convenience.

Sunday, February 10, 2013

FireEye posted details about the sleep function found in
Kelihos/Hlux (An
encounter with Trojan Nap),
which is interesting, and indeed is present in some of the samples we saw. The
trojan, of course, has many more features, and most of them were documented in
previous publications online. This post is a quick update on the state of
Kelihos/Hlux botnet, along with the list of known fast flux domains (1500+)
associated with with Kelihos distribution or Command&Control. (current >
2012). The current and most active name servers are pointing to the
ns[1-6].boomsco.com, ns[1-6].larstor.com, and ns[1-6].zempakiv.ru which are also
fast flux domains. The double fast flux nature of the botnet makes it very
difficult to take down, and sinkholing is a temporary measure. Despite the two
large attempts to take it down (Sep.2011 and Mar. 2012), the botnet is
definitely on the rise again.

Latest investigation have been done by Maher center in cyber space identified a new targeted data wiping malware. Primitive analysis revealed that this malware wipes files on different drives in various predefined times. Despite its simplicity in design, the malware is efficient and can wipe disk partitions and user profile directories without being recognized by anti-virus software. However, it is not considered to be widely distributed. This targeted attack is simple in design and it is not any similarity to the other sophisticated targeted attacks. The identified components of this threat are listed in the following table:

Malware samples are available for download by any responsible whitehat researcher. By downloading the samples, anyone waives all rights to claim punitive, incidental and consequential damages resulting from mishandling or self-infection.